AmneziaWG on OPNsense and routing

Started by phprus, February 16, 2026, 04:11:17 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
February 16, 2026, 04:11:17 PM
Hello!

I'm installing AmneziaWG on OPNsense.

I've compiled the AmneziaWG packages for OPNsense:

https://www.freshports.org/net/amnezia-tools/
https://www.freshports.org/net/amnezia-kmod/
https://www.freshports.org/net/amneziawg-go/

With some modifications, I've compiled a plugin package:
https://github.com/antspopov/opnsense_amnezia_plugin

I plan to create a PR for this in opnsense/plugins in the future.

I'm currently experiencing a routing issue.
If the VPN server doesn't provide the gateway IP (meaning we only know the IP on the interface), then the standard routing mechanism of adding routes and/or setting the gateway in firewall rules stops working.

I decided to try using a second routing table.

I set net.fibs=2, configured AmneziaWG to use routing table 1, and got the following routes:

Code Select
# netstat -rn -F 1
Routing tables (fib: 1)

Internet:
Destination        Gateway            Flags         Netif Expire
default            link#7             US            awg0

Internet6:
Destination        Gateway            Flags         Netif Expire
default            link#7             US            awg0


To test, I configured the LAN interface to use fib 1:

Code Select
ifconfig em1 fib 1

All LAN traffic is correctly routed through the tunnel.

Next, I tried to replicate this using pf, manually adding a rule immediately after "# [prio: 1]":

Code Select
pass in log on em1 inet from {(em1:network)} to $to_awg no state rtable 1

I loaded all the rules into pf, but the new rule didn't work. Traffic isn't being redirected. I don't see the captured packets in the log. I can't figure out what the problem is.

pf sees the following rule:

Code Select
# pfctl -s rules | grep rtable
pass in log on em1 inet from (em1:network) to <to_awg> no state rtable 1

Please tell me how to use pf to capture traffic based on the "to $to_awg" condition so that it sets rtable to 1. I want to capture both LAN traffic and OPNsense process traffic, such as Unbound.
February 16, 2026, 09:54:13 PM #1
> With some modifications, I've compiled a plugin package:
> https://github.com/antspopov/opnsense_amnezia_plugin

I applaud your efforts but I think we have enough WG implementations in the plugin system now.


Cheers,
Franco
Print
Go Up Pages1
User actions